Not surprisingly, Chris Soghoian’s blog post on law enforcement surveillance requests, mentioned here yesterday, has generated a huge buzz in the privacy and civil liberties communities. Chris had attended a closed door conference where members of the intelligence and law enforcement field met with those in the telecom and surveillance fields and had recorded some comments made by Paul Taylor, Sprint/Nextel’s Manager of Electronic Surveillance. In his recorded comments, one can hear Taylor referring to 8 million GPS requests from law enforcement since Sprint had launched a web interface for law enforcement 13 months earlier:
… We have a lot of things that are automated but that’s just scratching the surface. One of the things, like, with our GPS tool, we turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy. So, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.
But did eight million requests translate into eight million Sprint customers? According to Sprint, who responded later yesterday:
The comments made by a Sprint corporate security officer during a recent conference have been taken out of context by this blogger. Specifically, the “8 million” figure, which the blogger highlights in his email and blog post, has been grossly misrepresented. The figure does not represent the number of customers whose location information was provided to law enforcement, as this blogger suggests.
Instead, the figure represents the number of individual “pings” for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. It’s critical to note that a single case or investigation may generate thousands of individual pings to the network as the law enforcement or public safety agency attempts to track or locate an individual.
Instances where law enforcement agencies seek customer location information include exigent or emergency circumstances such as Amber Alert events, criminal investigations, or cases where a Sprint customer consents to sharing location information.
Sprint takes our customers’ privacy extremely seriously and all law enforcement and public safety requests for customer location information are processed in accordance with applicable state and federal laws.
A corporate spokesperson for Sprint also responded directly on Chris’s blog late last night:
As a follow-up to my earlier e-mail, I wanted to properly characterize the “8 million” figure that you prominently feature in your blog and email.
The “8 million” figure does not represent the number of customers whose location information was provided to law enforcement, nor does it represent the instances or cases in which law enforcement contacted Sprint seeking customer location information.
Instead, the figure represents the number of individual automated requests, or “pings”, for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. The critical point is that a single case or investigation may generate thousands of individual requests to the network as the law enforcement or public safety agency attempts to track or locate an individual over the course of days or weeks.
As a result, the 8 million automated requests or pings were generated by thousands (NOT millions) of instances in which law enforcement or public safety agencies sought customer location information. Several thousand instances over the course of a year should not be shocking given that we have 47 million customers and requests from law enforcement and public safety agencies are due to a variety of circumstances: exigent or emergency situations, criminal investigations, or cases where a Sprint customer consents to sharing location information.
It’s also important to note that we complied with applicable state and federal laws in all of the instances where we fulfilled a law enforcement or public safety request for location information.
While the clarification may damp down some of the furor Chris’s blog post generated, Chris’s point about the lack of transparency and reporting of actual stats remains and Kevin Bankston of EFF points out that Sprint’s response raises more questions than it answers. It would be a shame, however, if the story becomes overfocused on Sprint as for all we know, other telcos may be handling even more requests.
Those interested in the issue will find the comments on Chris’s blog interesting, and I’ll try to compile some other reactions from around the web to link to over the course of the next week.